Alan Cox wrote:> The problem is that most sensitive data is user space anyway.> GFP_SENSITIVE or kzfree mean you have to get it right in the kernel and> you don't fix things like stack copies of sensitive data - its a quick> hack which doesn't meet goot security programming practice -it defaults> to insecure which is the wrong way around. Not saying its not a bad idea> to kzfree a few keys and things *but* it's not real security.> > If you want to do real security you have a sysfs or build flag that turns> on clearing every page on free. Yes it costs performance (a lot less> nowdays with cache bypassing stores) but for the category of user who> wants to be sure nothing escapes it does the job while kzfree would be> like trying to plug leaks in a sieve.

Yup, your suggestion would make one simple patch, for sure. I wonder if anyone is actually prepared to enable the thing at run-time, though, which is why I suggested doing the "critical" kzfree() ones unconditionally.